> ## Documentation Index
> Fetch the complete documentation index at: https://docs.vigolium.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Vigolium Overview

> Vigolium is a high-fidelity web vulnerability scanner written in Go. It combines deterministic, module-based scanning with AI-driven agentic analysis to provide broad and deep coverage of web application security issues.

<Frame caption="Vigolium Workbench, scan overview with severity breakdown and finding details">
  <img src="https://mintcdn.com/vigolium/zoiYo6Ai1Y8VJhNS/images/vigolium-main-workbench.png?fit=max&auto=format&n=zoiYo6Ai1Y8VJhNS&q=85&s=ce742509a2fdc2c1959da3a6d7358d99" alt="Vigolium Workbench showing scan overview with severity breakdown and individual finding details" width="3416" height="2292" data-path="images/vigolium-main-workbench.png" />
</Frame>

Vigolium is a high-fidelity web vulnerability scanner that fuses agentic AI with native speed, modularity, and precision. It combines deterministic multi-phase scanning with AI-driven autonomous analysis to deliver comprehensive security coverage, from injection flaws and access control issues to framework-specific vulnerabilities and blind out-of-band attacks.

The platform is built around three key components that work together to provide a complete vulnerability scanning solution.

## <Icon icon="puzzle-piece" /> Key Components

<Columns cols={3}>
  <Card title="Vigolium CLI" icon="terminal">
    The core scanning engine. Handles all scanning logic, module execution, and heavy lifting, from content discovery and browser-based spidering to active fuzzing and agentic AI scanning.
  </Card>

  <Card title="Vigolium Workbench" icon="desktop">
    A self-hosted dashboard for visualizing scan results, managing projects, and tracking findings across your infrastructure. Deploy it on your own servers for full control over your data.
  </Card>

  <Card title="Vigolium Console" icon="cloud">
    A cloud-based solution that provides managed scanning, team collaboration, and centralized reporting without the overhead of self-hosting.
  </Card>
</Columns>

## <Icon icon="radar" /> Scanning Mode

### Agentic Scan

Agentic scanning uses AI agents to drive or augment the scanning process. Invoked via `vigolium agent <mode>`. All AI dispatch is routed through the in-process **olium** engine, which supports eleven providers: `openai-codex-oauth`, `anthropic-api-key`, `anthropic-oauth`, `openai-api-key`, `openai-responses`, `anthropic-cli`, `anthropic-claude-sdk-bridge`, `anthropic-compatible`, `anthropic-vertex`, `google-vertex`, and `openai-compatible` (Ollama / OpenRouter / LM Studio / vLLM).

| Mode          | Command                                 | Description                                                                                                                                                                                                                                                                                                  |
| ------------- | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Query**     | `vigolium agent query`                  | Single-shot prompt execution. Good for code review, endpoint discovery, secret detection. No network scanning.                                                                                                                                                                                               |
| **Autopilot** | `vigolium agent autopilot`              | Autonomous AI-driven pentest. The olium engine discovers endpoints, runs scans, and triages findings on its own, driving bash, file ops, and the vigolium CLI until it calls `halt_scan`. Supports diff-focused runs (`--diff`), `--intensity` preset bundles, and session resume.                           |
| **Swarm**     | `vigolium agent swarm`                  | AI-guided pipeline for targeted single-request or full-scope (`--discover`) scanning. The master agent selects modules, generates custom JS scanner extensions, runs code audit and SAST, executes scans, and triages results, with native Go handling the heavy lifting while AI intervenes at checkpoints. |
| **Audit**     | `vigolium agent audit`                  | Unified driver dispatcher for whitebox security audits — runs the embedded vigolium-audit harness, the standalone piolium harness, or both side-by-side under one parent scan. Modes: lite / balanced / deep.                                                                                                |
| **Piolium**   | `vigolium agent audit --driver=piolium` | Pi-native whitebox audit driver, up to 17 phases at `deep`. Requires the `pi` runtime and the `piolium` extension installed separately.                                                                                                                                                                      |
| **Olium**     | `vigolium olium` / `vigolium ol`        | Interactive TUI chat or one-shot non-interactive prompt, the underlying agent runtime.                                                                                                                                                                                                                       |

All scan-oriented modes support `--source` for source-aware analysis and store session artifacts (plans, extensions, output) under `~/.vigolium/agent-sessions/`. See [Setting Up the Agent](/getting-started/setup-agent) for provider setup.

<Warning>
  Agent mode runs with **no sandbox**: the LLM has full shell, file, and network access on the host, and extensions can run arbitrary commands. Run agent mode in a disposable container or VM scoped to your engagement. See the [Security Warning](/others/security-warning) before you start.
</Warning>

### Native Scan

Deterministic, multi-phase vulnerability scanning via `vigolium scan`. Fast, modular, and repeatable, runs content discovery, browser spidering, SPA crawling, and active/passive `dynamic-assessment` phases with **313 scanner modules** (198 active, 115 passive).

| Category                        | Coverage                                                                                                                                                                                                                                                                                              |
| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Injection**                   | XSS (reflected, DOM-based, SSR hydration), SQL injection (error-based, boolean/time-blind), NoSQL injection, SSTI/CSTI, CRLF injection, command injection, XXE/SAML, prototype pollution                                                                                                              |
| **Access Control**              | CSRF, IDOR, authorization bypass, mass assignment, forbidden bypass, HTTP method tampering                                                                                                                                                                                                            |
| **File & Path**                 | LFI, path traversal, file upload flaws, directory listing, backup/sensitive file discovery, path normalization bypass                                                                                                                                                                                 |
| **API & Protocol**              | GraphQL security suite (introspection, SQLi, IDOR/BOLA, DoS, batching), MCP server security (tool/resource/prompt fuzzing, session & origin checks), SSRF (direct & blind), open redirect, HTTP request smuggling, JWT vulnerabilities, JSONP callback, WebSocket security, race conditions           |
| **Framework-Specific**          | Spring Boot, Django, Laravel, Rails, Express, Next.js, Nuxt, Remix, ASP.NET/Blazor, IIS, Flask, FastAPI                                                                                                                                                                                               |
| **Enterprise & SaaS Platforms** | Adobe Experience Manager (dispatcher bypass, sensitive servlets, RCE-surface exposure, CVE probes), Salesforce Experience Cloud (Aura object/record exposure, guest Apex execution, Lightning debug mode), ServiceNow (widget & KB data exposure), Microsoft Power Pages (Dataverse Web API exposure) |
| **CMS**                         | WordPress (XML-RPC, user enum, AJAX exposure), Drupal, Joomla, CMS installer exposure                                                                                                                                                                                                                 |
| **Cloud & Infra**               | Firebase (RTDB, storage, auth, functions), cloud storage listing/takeover, default credentials, web cache poisoning, CORS misconfiguration                                                                                                                                                            |
| **Out-of-Band**                 | Blind vulnerabilities via OAST callbacks (blind SSRF, blind SSTI, OAST probes)                                                                                                                                                                                                                        |

***

## <Icon icon="terminal" /> Vigolium CLI

The CLI is the heart of Vigolium, powering all scanning operations with two complementary modes:

### CLI Highlights

* **Value-aware mutation**: classify parameter values by semantic type and generate intelligent mutations
* **Multi-phase pipeline**: external harvesting, content discovery, SPA crawling, and audit controlled by strategy presets
* **Scanning profiles**: bundle strategy, pace, scope, and module config into a single YAML file
* **Multiple input formats**: URLs, OpenAPI/Swagger, Postman, Burp Suite, cURL, Nuclei JSONL
* **Browser-based spider**: Chromium-driven crawler with SPA support, form filling, and JS analysis
* **Multi-session authentication**: inline sessions, session files, or full auth configs with login flows and token extraction
* **JavaScript extensions**: custom modules and hooks via embedded JS engine
* **Source-aware agentic scan**: pair `--source` with `swarm`, `autopilot`, or `audit` for code-context-aware AI scanning and audit
* **Concurrent architecture**: configurable worker pool with per-host rate limiting and hybrid queue
* **HTML reports**: self-contained HTML reports with sortable/filterable tables
* **API server mode**: REST API with Swagger UI, multi-format ingestion, transparent HTTP proxy

***

## <Icon icon="desktop" /> Vigolium Workbench

A self-hosted web dashboard that provides a visual interface for managing and analyzing your scan data. Deploy Workbench on your own infrastructure to maintain complete control over your vulnerability data while giving your team an intuitive way to:

* Browse and filter scan findings with severity breakdown per project
* Track vulnerability trends across repositories and scan history
* Manage multiple projects with multi-tenancy support
* View detailed request/response evidence for each finding

<Columns cols={2}>
  <Frame caption="Project overview with scan summary">
    <img src="https://mintcdn.com/vigolium/k7Q5uClvTZzF4YBg/images/vigolium-ui-dashboard-1.png?fit=max&auto=format&n=k7Q5uClvTZzF4YBg&q=85&s=1b5b5c796cc7b2b0599b8e2b1b422239" alt="Workbench project overview showing scan summary and severity counts" width="3824" height="2366" data-path="images/vigolium-ui-dashboard-1.png" />
  </Frame>

  <Frame caption="Findings list with filtering options">
    <img src="https://mintcdn.com/vigolium/k7Q5uClvTZzF4YBg/images/vigolium-ui-dashboard-2.png?fit=max&auto=format&n=k7Q5uClvTZzF4YBg&q=85&s=95e9fe18de264735a727b66cf86f8c41" alt="Workbench findings list with severity filters and search" width="3824" height="2158" data-path="images/vigolium-ui-dashboard-2.png" />
  </Frame>

  <Frame caption="Detailed finding view with request/response evidence">
    <img src="https://mintcdn.com/vigolium/k7Q5uClvTZzF4YBg/images/vigolium-ui-dashboard-3.png?fit=max&auto=format&n=k7Q5uClvTZzF4YBg&q=85&s=9ad18a0547a351fbe503be6119846b91" alt="Workbench detailed finding view showing HTTP request and response evidence" width="3824" height="2158" data-path="images/vigolium-ui-dashboard-3.png" />
  </Frame>

  <Frame caption="Scan history and trend tracking">
    <img src="https://mintcdn.com/vigolium/k7Q5uClvTZzF4YBg/images/vigolium-ui-dashboard-4.png?fit=max&auto=format&n=k7Q5uClvTZzF4YBg&q=85&s=4db776eeca0b23ec9c1231fdddc23feb" alt="Workbench scan history view with vulnerability trend tracking" width="3824" height="2158" data-path="images/vigolium-ui-dashboard-4.png" />
  </Frame>
</Columns>

<Columns cols={2}>
  <Frame caption="HTML report, summary with severity chart">
    <img src="https://mintcdn.com/vigolium/bNNIkqR-N7gw4AB_/images/vigolium-static-report-1.png?fit=max&auto=format&n=bNNIkqR-N7gw4AB_&q=85&s=7aba27cdbd14060961c450be78f50b84" alt="Self-contained HTML report showing vulnerability summary with severity chart" width="2624" height="2366" data-path="images/vigolium-static-report-1.png" />
  </Frame>

  <Frame caption="HTML report, sortable findings table">
    <img src="https://mintcdn.com/vigolium/bNNIkqR-N7gw4AB_/images/vigolium-static-report-2.png?fit=max&auto=format&n=bNNIkqR-N7gw4AB_&q=85&s=a6fdec8f272861d76bdd355246959d13" alt="Self-contained HTML report with sortable and filterable findings table" width="2624" height="2366" data-path="images/vigolium-static-report-2.png" />
  </Frame>
</Columns>

***

## <Icon icon="cloud" /> Vigolium Cloud Console

A cloud-based solution for teams that want the power of Vigolium without managing infrastructure. Console is the **upgraded, fully-featured version of Vigolium**, managed scanning, centralized reporting, team collaboration, and extra features layered on top of the open-source core, so you can focus on fixing vulnerabilities instead of maintaining tooling.

<Callout icon="rocket" color="#FFC107" iconType="regular">
  Check out the Cloud Console at [console.vigolium.com](https://console.vigolium.com/).
</Callout>

<Columns cols={2}>
  <Frame caption="Native scan results in Vigolium Console">
    <img src="https://mintcdn.com/vigolium/7sCvbc6tyfE0FRFM/images/vigolium-native-scan.png?fit=max&auto=format&n=7sCvbc6tyfE0FRFM&q=85&s=c8a94abe488e2008abfb50402b64251f" alt="Vigolium Console native scan view" width="2872" height="1750" data-path="images/vigolium-native-scan.png" />
  </Frame>

  <Frame caption="Agentic scan results in Vigolium Console">
    <img src="https://mintcdn.com/vigolium/7sCvbc6tyfE0FRFM/images/vigolium-agentic-scan.png?fit=max&auto=format&n=7sCvbc6tyfE0FRFM&q=85&s=8d0ae511bffadbd783755d278e052d28" alt="Vigolium Console agentic scan view" width="2872" height="1750" data-path="images/vigolium-agentic-scan.png" />
  </Frame>
</Columns>

<Columns cols={2}>
  <Frame caption="Project list with severity breakdown per repository">
    <img src="https://mintcdn.com/vigolium/INiehdljY0lmbxY9/images/vigolium-opensource-audit-list.png?fit=max&auto=format&n=INiehdljY0lmbxY9&q=85&s=e3f375460a4e4cc320091fafe49b682a" alt="Open-source audit project list" width="2624" height="2366" data-path="images/vigolium-opensource-audit-list.png" />
  </Frame>

  <Frame caption="Detailed findings view for an individual project">
    <img src="https://mintcdn.com/vigolium/INiehdljY0lmbxY9/images/vigolium-opensource-audit-blur.png?fit=max&auto=format&n=INiehdljY0lmbxY9&q=85&s=d8dd70495db5500b4f0035bb0a25beed" alt="Open-source audit findings detail" width="2624" height="2366" data-path="images/vigolium-opensource-audit-blur.png" />
  </Frame>
</Columns>

***

## <Icon icon="compass" /> Where to Go Next

| I want to...                          | Start here                                                                      |
| ------------------------------------- | ------------------------------------------------------------------------------- |
| Install the CLI and run my first scan | [Quickstart](/getting-started/quickstart)                                       |
| Pick the right mode for the job       | [Choosing a Scan Mode](/getting-started/choosing-a-mode)                        |
| Run one-shot scans (CI, ad-hoc)       | [Native Scan & Stateless Scanning](/getting-started/native-scan)                |
| Wire up AI providers                  | [Setting Up the Agent](/getting-started/setup-agent)                            |
| Understand how native scanning works  | [How It Works](/native-scan/how-it-works)                                       |
| Pick the right scanning strategy      | [Strategies](/native-scan/strategies)                                           |
| Dive into individual scan phases      | [Phases](/native-scan/phases/discovery), discovery, spidering, audit, extension |
| Try agentic scanning                  | [Agent Mode](/agentic-scan/agent-mode)                                          |
| Let AI drive scans autonomously       | [Autopilot](/agentic-scan/autopilot)                                            |
| Run multi-phase AI + native pipelines | [Swarm](/agentic-scan/swarm)                                                    |
| Audit source code in depth            | [Agentic Security Audit](/getting-started/agentic-security-audit)               |
| Chat with the agent runtime           | [Olium](/agentic-scan/olium)                                                    |
| Run Vigolium as an API server         | [Server Mode](/server-mode/running-the-server)                                  |
| Tweak scan settings                   | [Configuration](/getting-started/configuration)                                 |
| Export and format results             | [Output & Reporting](/getting-started/output-and-reporting)                     |
| Write custom JS extensions            | [Writing Extensions](/customization/writing-extensions)                         |
| Browse the REST API                   | [API Overview](/api-overview)                                                   |

***

For any inquiries, feel free to contact us at [contact@vigolium.com](mailto:contact@vigolium.com).
